Russia Hacked Routers to Steal Microsoft Office Tokens

Krebs on Security News

Summary

Russian state-backed hackers (Forest Blizzard/APT28) exploited known vulnerabilities in older, mostly end-of-life MikroTik and TP-Link SOHO routers to point them at attacker-controlled DNS servers, then ran adversary-in-the-middle attacks on TLS connections to Microsoft Outlook on the web to capture OAuth tokens issued after users had already completed multi-factor authentication. Microsoft counted more than 200 organizations and 5,000 consumer devices caught up in the operation, which deployed no malware at all.

<p>Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from <strong>Microsoft Office</strong> users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.</p>
<p>Microsoft said in <a href="https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/" target="_blank" rel="noopener">a blog post</a> today it identified more than 200 organizations and 5,000 consumer devices that were caught up in a stealthy but remarkably simple spying network built by a Russia-backed threat actor known as “<strong>Forest Blizzard</strong>.”</p>
<div id="attachment_73429" style="width: 774px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-73429" decoding="async" loading="lazy" class="size-full wp-image-73429" src="https://krebsonsecurity.com/wp-content/uploads/2026/04/lumen-forestblizzard.png" alt="" width="764" height="353" /><p id="caption-attachment-73429" class="wp-caption-text">How targeted DNS requests were redirected at the router. Image: Black Lotus Labs.</p></div>
<p>Also known as <a href="https://attack.mitre.org/groups/G0007/" target="_blank" rel="noopener">APT28</a> and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.</p>
<p>Researchers at <strong>Black Lotus Labs</strong>, a security division of the Internet backbone provider <strong>Lumen</strong>, found that at the peak of its activity in December 2025, Forest Blizzard’s surveillance dragnet ensnared more than 18,000 Internet routers that were mostly unsupported, end-of-life devices, or else far behind on security updates. A <a href="https://www.lumen.com/blog-and-news/en-us/frostarmada-forest-blizzard-dns-hijacking" target="_blank" rel="noopener">new report</a> from Lumen says the hackers primarily targeted government agencies, including ministries of foreign affairs, law enforcement, and third-party email providers.</p>
<p>Black Lotus Labs security engineer <strong>Ryan English</strong> said the GRU hackers did not need to install malware on the targeted routers, which were mainly older <strong>MikroTik</strong> and <strong>TP-Link</strong> devices marketed to the Small Office/Home Office (SOHO) market. Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.</p>
<p>As the U.K.’s <strong>National Cyber Security Centre</strong> (NCSC) notes in <a href="https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations" target="_blank" rel="noopener">a new advisory</a> detailing how Russian cyber actors have been compromising routers, DNS is what allows individuals to reach websites by typing familiar addresses instead of the associated IP addresses. In a DNS hijacking attack, bad actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.</p>
<p>English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by the attackers. Importantly, because a SOHO router hands its resolver settings to every client it serves, the attackers could then propagate their malicious DNS settings to all users on the local network, and from that point forward intercept any <a href="https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow" target="_blank" rel="noopener">OAuth authentication tokens</a> transmitted by those users.<span id="more-73422"></span></p>
<div id="attachment_73428" style="width: 757px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-73428" decoding="async" loading="lazy" class=" wp-image-73428" src="https://krebsonsecurity.com/wp-content/uploads/2026/04/ms-dns-forestblizard.png" alt="" width="747" height="544" /><p id="caption-attachment-73428" class="wp-caption-text">DNS hijacking through router compromise. Image: Microsoft.</p></div>
<p>Because those tokens are typically transmitted only <em>after</em> the user has successfully logged in and gone through multi-factor authentication, the attackers could gain direct access to victim accounts without ever having to phish each user’s credentials and/or one-time codes.</p>
<p>“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English said. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”</p>
<p>Microsoft describes the Forest Blizzard activity as using DNS hijacking “to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains.” The software giant said that while targeting SOHO devices isn’t a new tactic, this is the first time Microsoft has seen Forest Blizzard using “DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”</p>
<p>Black Lotus Labs engineer <strong>Danny Adamitis</strong> said it will be interesting to see how Forest Blizzard reacts to today’s flurry of attention to its espionage operation, noting that the group immediately switched up its tactics in response to <a href="https://www.ncsc.gov.uk/sites/default/files/documents/ncsc-mar-authentic_antics.pdf" target="_blank" rel="noopener">a similar NCSC report</a> (PDF) in August 2025. At the time, Forest Blizzard was using malware to control a far more targeted and smaller group of compromised routers. But Adamitis said the day after the NCSC report, the group quickly ditched the malware approach in favor of mass-altering the DNS settings on thousands of vulnerable routers.</p>
<p>“Before the last NCSC report came out they used this capability in very limited instances,” Adamitis told KrebsOnSecurity. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”</p>
<p>TP-Link was among the router makers <a href="https://krebsonsecurity.com/2025/11/drilling-down-on-uncle-sams-proposed-tp-link-ban/" target="_blank" rel="noopener">facing a complete ban</a> in the United States. But on March 23, the <strong>U.S. Federal Communications Commission</strong> (FCC) took a much broader approach, <a href="https://www.fcc.gov/document/fcc-updates-covered-list-include-foreign-made-consumer-routers" target="_blank" rel="noopener">announcing</a> it would no longer certify consumer-grade Internet routers that are produced outside of the United States.</p>
<p>The FCC warned that foreign-made routers had become an untenable national security threat, and that poorly secured routers present “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”</p>
<p>Experts have countered that few new consumer-grade routers would be available for purchase under this new FCC policy (besides maybe Musk’s Starlink satellite Internet routers, which are produced in Texas). The FCC says router makers can apply for a special “conditional approval” from the Department of War or Department of Homeland Security, and that the new policy does not affect any previously purchased consumer-grade routers.</p>
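The script below is an added example written for this page; it is not code from the Krebs article, Microsoft, Lumen/Black Lotus Labs or the NCSC. It shows the two checks a defender sitting inside a SOHO network would run against the technique described above: first, that the resolvers the router advertises over DHCP are the ones the network is supposed to use; second, that for a short list of high-value hostnames the router's resolver returns answers that overlap with those from an independent, trusted resolver, since a hijacked router rewrites only the handful of names the attacker cares about. The resolver allowlist, the watched hostnames (Outlook on the web and Microsoft sign-in names are assumed, not taken from the reports) and every DHCP offer and DNS answer are constructed for the example; a live version would fill the two answer tables by querying the router's resolver and a DNS-over-HTTPS resolver of your choosing for each name.

```python
"""Two offline checks for router-level DNS hijacking (added example).

1. The resolvers the router advertises over DHCP must match an allowlist.
2. For a watchlist of high-value names, answers from the router's resolver
   must overlap with answers from an independent, trusted resolver. A
   hijacked router typically rewrites only a few targeted names, so the
   comparison is done name by name.

All inputs below are constructed for the example; nothing is fetched.
"""
from __future__ import annotations

from dataclasses import dataclass

# Resolvers this network is supposed to hand out (assumed for the example:
# the router itself plus one upstream the administrator chose).
EXPECTED_RESOLVERS: frozenset[str] = frozenset({"192.168.88.1", "9.9.9.9"})

# Names to compare. The campaign targeted Outlook on the web, so Microsoft
# mail and sign-in hostnames head the list; the list itself is an assumption.
WATCHLIST: tuple[str, ...] = (
    "outlook.office.com",
    "outlook.office365.com",
    "login.microsoftonline.com",
    "example.org",  # control name an attacker has no interest in
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "unexpected-resolver", "no-answer" or "divergent-answer"
    name: str    # resolver IP or hostname the finding is about
    detail: str


def check_dhcp_resolvers(offered: list[str],
                         expected: frozenset[str] = EXPECTED_RESOLVERS) -> list[Finding]:
    """Flag every DNS server in a DHCP offer that is not on the allowlist."""
    return [Finding("unexpected-resolver", ip, "not in resolver allowlist")
            for ip in offered if ip not in expected]


def compare_answers(router: dict[str, set[str]],
                    trusted: dict[str, set[str]],
                    names: tuple[str, ...] = WATCHLIST) -> list[Finding]:
    """Compare A-record sets per name.

    CDN-fronted names legitimately differ between resolvers, so any shared
    address counts as consistent; an empty intersection for a watched name,
    or no answer at all, is the signal worth investigating.
    """
    findings: list[Finding] = []
    for name in names:
        from_router = router.get(name, set())
        from_trusted = trusted.get(name, set())
        if not from_router:
            findings.append(Finding("no-answer", name, "router resolver returned nothing"))
        elif from_router.isdisjoint(from_trusted):
            findings.append(Finding("divergent-answer", name,
                                    f"router={sorted(from_router)} trusted={sorted(from_trusted)}"))
    return findings


# Constructed sample data using documentation address ranges (RFC 5737).
DHCP_OFFER = ["192.168.88.1", "203.0.113.53"]          # second resolver is rogue
ROUTER_ANSWERS = {
    "outlook.office.com": {"203.0.113.7"},             # both mail names pointed
    "outlook.office365.com": {"203.0.113.7"},          # at one interception host
    "login.microsoftonline.com": {"198.51.100.10", "198.51.100.11"},
    "example.org": {"192.0.2.1"},
}
TRUSTED_ANSWERS = {
    "outlook.office.com": {"198.51.100.20", "198.51.100.21"},
    "outlook.office365.com": {"198.51.100.22"},
    "login.microsoftonline.com": {"198.51.100.11"},
    "example.org": {"192.0.2.1"},
}


def run_example() -> dict[str, list[Finding]]:
    """Run both checks over the constructed data and return the findings."""
    return {
        "dhcp": check_dhcp_resolvers(DHCP_OFFER),
        "dns": compare_answers(ROUTER_ANSWERS, TRUSTED_ANSWERS),
    }


if __name__ == "__main__":
    for group, group_findings in run_example().items():
        for f in group_findings:
            print(f"[{group}] {f.kind}: {f.name} ({f.detail})")
```

On the constructed data the DHCP check flags the second advertised resolver, and the answer comparison flags both Outlook hostnames while leaving the sign-in and control names alone, which is exactly the shape of the hijack: a rogue resolver and a couple of rewritten names rather than a wholesale redirect. The overlap rule is deliberately loose so that ordinary CDN variation does not drown the signal; tighten it to an exact-match rule only for names you know resolve to a stable set of addresses.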
Source: https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/

Similar Articles

Microsoft Copilot Cowork Exfiltrates Files

Hacker News Top

Researchers at PromptArmor demonstrate that Microsoft Copilot Cowork can be exploited via indirect prompt injection to exfiltrate files from Microsoft 365, exploiting the lack of approval for certain actions when the recipient is the active user.

Botnet of more than 17 million devices dismantled

Ars Technica

Dutch authorities, in collaboration with the National Cyber Security Center, dismantled a botnet comprising over 17 million devices managed by 200 servers, linked to Russian proxy service provider ASOCKS.

Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker

Krebs on Security

Iran-backed hacktivist group Handala claims a data-wiping attack on medical technology firm Stryker, allegedly disabling over 200,000 devices and forcing shutdown of offices across 79 countries. The attack used Microsoft Intune to remotely wipe devices, and the group says it was in retaliation for a U.S. missile strike on an Iranian school.

Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

Krebs on Security

U.S., Canadian, and German authorities have dismantled four IoT botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that compromised over three million devices and launched record-breaking DDoS attacks, including against the Department of Defense.